pipewire/src
Wim Taymans a12cc84df4 security: fix integer overflow in PulseAudio message read_arbitrary
Memory Safety: High

The read_arbitrary() bounds check used `m->offset + len > m->length`
where len is an attacker-controlled uint32_t read from the PulseAudio
protocol message. When m->offset is small and len is close to
UINT32_MAX, the addition wraps around to a small value, bypassing
the bounds check. This allows read_arbitrary() to return a pointer
within the message buffer but report an enormous length to the caller,
leading to out-of-bounds memory reads.

Fixed by rearranging the arithmetic to use subtraction:
`len > m->length - m->offset`, which cannot overflow since
m->offset <= m->length is maintained as an invariant.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 12:56:28 +02:00
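
The wrap-around described in the commit message above, as an added example that is not code from the PipeWire tree. `struct msg` and both helper functions are hypothetical stand-ins; only the `offset` and `length` field names and the two comparison expressions come from the commit message, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the message state. Only the field names
 * come from the commit message. Invariant: offset <= length. */
struct msg {
	uint32_t length;	/* bytes of valid data in the buffer */
	uint32_t offset;	/* current read position */
};

/* Check as it was before the fix: offset + len is computed in
 * uint32_t and wraps modulo 2^32 when len is close to UINT32_MAX. */
static bool in_bounds_wrapping(const struct msg *m, uint32_t len)
{
	return !(m->offset + len > m->length);
}

/* Check as it is after the fix: length - offset is the number of
 * bytes left and cannot underflow while offset <= length holds. */
static bool in_bounds_fixed(const struct msg *m, uint32_t len)
{
	return !(len > m->length - m->offset);
}

int main(void)
{
	/* Constructed sample: 64-byte message, 8 bytes already consumed. */
	struct msg m = { .length = 64, .offset = 8 };
	uint32_t lens[] = { 16, 56, 57, UINT32_MAX - 4, UINT32_MAX };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		uint32_t sum = m.offset + lens[i];	/* wrapped sum */
		printf("len=%10u  offset+len=%10u  old=%-6s new=%s\n",
		       (unsigned)lens[i], (unsigned)sum,
		       in_bounds_wrapping(&m, lens[i]) ? "accept" : "reject",
		       in_bounds_fixed(&m, lens[i]) ? "accept" : "reject");
	}
	return 0;
}
```

The two checks agree on every length up to the 56 remaining bytes and on 57; they diverge only for the last two values, where the wrapped sum is 3 and 7.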
daemon filter-chain: update virtual surround with convolver2 2026-04-21 17:03:55 +02:00
examples impl-node: accept more node.passive values 2026-03-12 17:25:36 +01:00
gst gst: fix crop height typo in pipewiresink do_send_buffer 2026-04-21 20:19:24 +01:00
modules security: fix integer overflow in PulseAudio message read_arbitrary 2026-04-28 12:56:28 +02:00
pipewire debug: demote some info log to debug 2026-04-28 09:50:02 +02:00
tests stream: return -EIO when doing get_time in != STREAMING 2026-02-12 12:26:33 +01:00
tools security: add missing O_CLOEXEC/SOCK_CLOEXEC flags 2026-04-28 12:20:33 +02:00
meson.build meson.build: fix compile with -Dexamples=disabled 2023-11-28 10:18:25 +00:00